def test_invalid_request(self):
    """A structurally broken signed request must decode to ``None``.

    Three malformed shapes are covered: no ``.`` separator at all, a
    separator with garbage on both sides, and a well-formed
    ``signature.payload`` pair whose payload is not JSON.  In each case
    the decoder must fail closed -- return ``None`` -- rather than raise
    or hand back partially decoded data.
    """
    # No separator at all.
    eq_(decode_signed_request('invalid()', 'secret'), None)
    # Separator present, but neither half is anything the decoder accepts.
    eq_(decode_signed_request('invalid().withdot', 'secret'), None)
    # Correctly shaped pair, but the payload half is not JSON.
    sig_part = modified_url_b64encode('secret')
    body_part = modified_url_b64encode('notjson')
    malformed = sig_part + '.' + body_part
    eq_(decode_signed_request(malformed, 's'), None)
def test_invalid_secret(self):
    """A request signed with one secret must not verify under another.

    This is the authentication property the whole signed-request scheme
    rests on: only a holder of the app secret used at signing time can
    produce a payload the decoder accepts.  A mismatched secret must
    yield ``None``, not a decoded payload.
    """
    signing_secret = 'secret'
    wrong_secret = 'other_secret'
    signed = self.create_signed_request(create_payload(), signing_secret)
    eq_(decode_signed_request(signed, wrong_secret), None)
def deauthorize(request):
    """Facebook de-authorization callback: purge the user and their data.

    The only authentication on this endpoint is the signature carried by
    the ``signed_request`` POST parameter, which ``decode_signed_request``
    checks against ``settings.FACEBOOK_APP_SECRET``.  Nothing from the
    payload is used until that check has passed, so an attacker cannot
    trigger a purge of an arbitrary ``user_id`` without the app secret.

    Responses:
        400 -- ``signed_request`` is absent, fails verification, or
               carries no ``user_id``.
        404 -- no ``FacebookUser`` matches the verified ``user_id``.
        200 -- the user's data was purged.
    """
    raw = request.POST.get('signed_request', None)
    if raw is None:
        return JSONResponseBadRequest(
            {'error': 'No signed_request parameter found.'})

    # Verification against the app secret is what makes user_id below
    # trustworthy; never look a user up from an unverified value.
    data = decode_signed_request(raw, settings.FACEBOOK_APP_SECRET)
    if data is None or 'user_id' not in data:
        return JSONResponseBadRequest({'error': 'signed_request invalid.'})

    target = get_object_or_404(FacebookUser, id=data['user_id'])
    FacebookUser.objects.purge_user_data(target)
    return JSONResponse({'success': 'User data purged successfully.'})
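def load_app(request):
    """Canvas entry point: verify the signed request, then route the user.

    Facebook POSTs a ``signed_request`` when the app is loaded inside the
    canvas.  Its signature, checked against ``settings.FACEBOOK_APP_SECRET``
    by ``decode_signed_request``, is the sole basis for trusting the user
    identity embedded in it, so nothing from the payload is used before
    that check succeeds.

    Routing, in order:
      * no ``signed_request`` or one that fails verification
        -> redirect to ``base.home``;
      * Safari without the cookie workaround applied
        -> redirect (top window) to the workaround page, before any user
           record is created or touched;
      * verified request but the app is not yet authorized
        -> pre-auth promo;
      * otherwise attach the country from the payload, log the user in
        and send them to the banner list.

    Change from the previous revision: a verified payload without a
    ``user`` sub-dict no longer raises ``KeyError`` (a 500) when the
    country is read; the user's stored country is kept instead.
    """
    signed_request = request.POST.get('signed_request', None)
    if signed_request is None:
        # App wasn't loaded within a canvas; there is nothing to verify.
        return redirect('base.home')

    decoded_request = decode_signed_request(signed_request,
                                            settings.FACEBOOK_APP_SECRET)
    if decoded_request is None:
        # Missing, malformed or forged signature: treat like a non-canvas visit.
        return redirect('base.home')

    # Safari needs the cookie workaround; decide that before any user
    # record is created or logged in.
    useragent = request.META.get('HTTP_USER_AGENT', '')
    using_safari = 'Safari' in useragent and 'Chrome' not in useragent
    workaround_applied = SAFARI_WORKAROUND_KEY in request.COOKIES
    if using_safari and not workaround_applied:
        return fb_redirect(request,
                           absolutify(reverse('facebook.safari_workaround')),
                           top_window=True)

    user, _created = (FacebookUser.objects.
                      get_or_create_user_from_decoded_request(decoded_request))
    if user is None:
        # User has yet to authorize the app; send them to the pre-auth promo.
        return fb_redirect(request,
                           absolutify(reverse('facebook.pre_auth_promo')))

    # Country is only available from the decoded request, so attach it here
    # and let login() save it.  Fall back to the stored value when the
    # payload omits the ``user`` block or the country inside it, instead of
    # failing with KeyError on an otherwise valid request.
    user_info = decoded_request.get('user') or {}
    user.country = user_info.get('country', user.country)

    # This identity is trusted only because the signature verified above.
    login(request, user)
    return fb_redirect(request, absolutify(reverse('facebook.banner_list')))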
def deauthorize(request):
    """Handle Facebook's de-authorization ping by deleting the user's data.

    Authentication is entirely the signature on the ``signed_request``
    POST parameter, verified by ``decode_signed_request`` with
    ``settings.FACEBOOK_APP_SECRET``; a request that fails that check is
    rejected before any database lookup, so the ``user_id`` acted on is
    always one Facebook signed.

    Returns 400 when ``signed_request`` is missing, unverifiable or has
    no ``user_id``; 404 when no ``FacebookUser`` has that id; 200 once
    the user's data has been purged.
    """
    def reject(message):
        # All validation failures are reported the same way.
        return JSONResponseBadRequest({'error': message})

    signed_request = request.POST.get('signed_request', None)
    if signed_request is None:
        return reject('No signed_request parameter found.')

    decoded = decode_signed_request(signed_request,
                                    settings.FACEBOOK_APP_SECRET)
    if decoded is None or 'user_id' not in decoded:
        return reject('signed_request invalid.')

    # Only reached with a verified payload, so the id can be trusted.
    user = get_object_or_404(FacebookUser, id=decoded['user_id'])
    FacebookUser.objects.purge_user_data(user)
    return JSONResponse({'success': 'User data purged successfully.'})
def test_valid_request(self):
    """A request signed with the correct secret round-trips to its payload."""
    expected = create_payload()
    signed = self.create_signed_request(expected, 'secret')
    decoded = decode_signed_request(signed, 'secret')
    eq_(decoded, expected)
def test_invalid_algorithm(self):
    """An unsupported ``algorithm`` field must make decoding fail closed.

    The request is signed with the right secret; only the declared
    algorithm is wrong.  This checks that the decoder rejects an
    algorithm it does not recognise instead of silently accepting the
    payload -- the kind of downgrade a signature scheme must not allow.
    """
    bad_algorithm_payload = create_payload(algorithm='not-supported')
    signed = self.create_signed_request(bad_algorithm_payload, 'secret')
    eq_(decode_signed_request(signed, 'secret'), None)